Clay Haynes, Senior Network Security Engineer at Twitter


Conditional Route Advertising on SRX

Junos is a very powerful network operating system, and by harnessing it we can perform more unusual tasks than we could with other alternatives. Today I will discuss a less common scenario: using conditional route advertisement together with NAT to provide access to a service. When the backend network becomes unreachable, the SRX automatically withdraws the route it advertises.

Conditional Route Advertising allows a network engineer to attach criteria to a routing policy, so that routes are only installed in the routing table or advertised to peers/neighbors when those criteria are met. More information on this can be found here. In the example below I will configure conditional route advertisement on an SRX.

In the scenario above the SRX must advertise the route 1.1.1.0/24 to AS1111 only if the route 192.168.1.0/24, learned from the iBGP neighbor, exists on the SRX. Moreover, the SRX will statically NAT 1.1.1.1 to 192.168.1.1 to make a web application publicly available. Below is the basic configuration for interfaces, zones, and BGP:

On a typical Junos-based router, setting a discard route for 1.1.1.0/24 would drop all traffic destined to that network. So why does it work on the SRX? The key point is to review when flow-based Junos performs the route lookup:

In flow mode, the route lookup is performed after static NAT has been applied. In this case the SRX first translates the destination address to 192.168.1.1 and only then performs the route lookup, so the packet matches the 192.168.1.0/24 route learned via iBGP rather than the discard route, and the SRX forwards it.
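Putting the scenario and the discard-route explanation above together, here is an added example configuration in Junos set format (my own, not the post's configuration). It keeps the post's prefixes (1.1.1.0/24, 1.1.1.1, 192.168.1.0/24, 192.168.1.1) and peer AS1111; the local AS 65000, eBGP neighbor 203.0.113.2, rule-set and policy names, and the untrust zone are assumptions, and interfaces, zones, the iBGP session that supplies 192.168.1.0/24, and the untrust-to-trust security policy are assumed to be configured already.

```junos
# Added example, not the post's configuration. Assumed values: local AS 65000,
# eBGP neighbor 203.0.113.2 (AS1111 is from the post), zone "untrust".
# 1.1.1.0/24 must exist locally to be exported; a discard route anchors it.
# Because flow mode applies static NAT before the route lookup, traffic to
# 1.1.1.1 is rewritten to 192.168.1.1 and never matches this discard route.
set routing-options autonomous-system 65000
set routing-options static route 1.1.1.0/24 discard

# Condition is true only while 192.168.1.0/24 (learned via iBGP) is in inet.0.
set policy-options condition WEB-REACHABLE if-route-exists 192.168.1.0/24
set policy-options condition WEB-REACHABLE if-route-exists table inet.0

# Export 1.1.1.0/24 to AS1111 only when the condition holds; reject the rest,
# so nothing else leaks to the external peer if the condition changes.
set policy-options policy-statement ADVERTISE-1-1-1-0 term web from protocol static
set policy-options policy-statement ADVERTISE-1-1-1-0 term web from route-filter 1.1.1.0/24 exact
set policy-options policy-statement ADVERTISE-1-1-1-0 term web from condition WEB-REACHABLE
set policy-options policy-statement ADVERTISE-1-1-1-0 term web then accept
set policy-options policy-statement ADVERTISE-1-1-1-0 term deny-rest then reject

# eBGP group toward AS1111 with the conditional export policy applied.
set protocols bgp group ebgp-as1111 type external
set protocols bgp group ebgp-as1111 peer-as 1111
set protocols bgp group ebgp-as1111 export ADVERTISE-1-1-1-0
set protocols bgp group ebgp-as1111 neighbor 203.0.113.2

# Static NAT: public 1.1.1.1 -> internal web server 192.168.1.1.
set security nat static rule-set public-web from zone untrust
set security nat static rule-set public-web rule web match destination-address 1.1.1.1/32
set security nat static rule-set public-web rule web then static-nat prefix 192.168.1.1/32
```

After committing, `show route advertising-protocol bgp 203.0.113.2` should list 1.1.1.0/24 only while `show route 192.168.1.0/24` still returns the iBGP-learned route; once that route disappears, the advertisement is withdrawn.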